San Francisco New York I[e),avie “Shanghai _ Berlin - |[eyalelo 


These are confidential sessions—please refrain from streaming, blogging; or taking pictures -,. 


Security and Privacy 
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Security Checklist 


@ericuaccaren 
(_) Secure Transport 
Qsaetieneereliare 


Privacy Checklist 


(_) Identifiers 
() Data Isolation 
( ) Data Collection 
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— iExplorer 


4 f=] OO so | |ml | oO * 
Back View Mode Quick Look Action 


0 Paul's iPhone A iExplorer § Paul's iPhone @B Apps Ey wwoc > (oj Library > (5 Preferences 


Name File Type Size Date Modified 
Al Media DDL IVeWs 9/7/13, L044 AW 


developer.apple.wwdc-Release.plist 


BofA 7/24/13, 3:29 PM 
nee EJ Dropbox 9/19/13, 1:49 AM 
>‘) Backups fi Find Friends 8/22/13, 3:39 PM 
Mn O Mares) © Google Maps 8/28/13, 11:11 AM 
Books 9/17/13, 11:32 PM 

> @ ‘Cioud KQED 7/10/13, 7:26 AM 
[Q Books () PennyTalk 9/17/13, 10:44 AM 

> 7 Media Library [5] Skype 9/19/13, 1:49 AM 
Tokyo 9/19/13, 1:49 AM 

> JK Bookmarks Ry united 9/17/13, 10:44 AM 


a Browse iTunes Backu E§wwoc 7/10/13, 7:25 AM 
nes ps 


| ) Documents 475 kB 7/17/13, 6:33 AM 

> F) Paul Danbold's iPad WWDC-2013.sqlite SQLITE 442 kB 6/11/13, 10:25 AM 
> 2) Paul Danbold’s iPad WWDC-2013.sqlite-shm SQLITE-SHM 32 kB 7/17/13, 6:33 AM 
WWDC-2013.sqlite-wal SQLITE-WAL 7/17/13, 6:33 AM 

> "© Paul Danboid's iPhone (Bi Library 10 kB 7/10/13, 7:25 AM 
> 2) Paul Danbold's iPod (Caches 68B 7/10/13, 7:24 AM 


|) Cookies 7 kB 7/1/13, 2:10 PM 
Cookies. binarycookies BINARYCOOKIES 7 kB 7/1/13, 2:10 PM Size: 1kB 
> ©) Paul's iPhone LijPreferences 1 kB 7/10/13, 7:25 AM Last Modified: Jul 1, 2013, 2:10 PM 
~ -GlobalPreferences.plist PLIST 64B 7/10/13, 7:25 AM Type: PLIST 
a com.apple.PeoplePicker.plist PLIST 68B 7/10/13, 7:25 AM Location: /Library/Preferences 
com.apple.ist.ds.appleconnect.mo... PLIST 172B 6/6/13, 1:51 PM 
© Biceveloper applewndc-Release plist [PUST | kB) 7/1/13, 2:10 PM 
_ )SyncedPreferences 1 kB 7/10/13, 7:25 AM 
developer.apple.wwdc-Release.plist PLIST 1 kB 7/10/13, 7:25 AM 
LD WWDC.app 7/10/13, 7:24 AM 
TunesArtwork 91 kB 7/10/13, 7:24 AM 
Tunes Metadata.plist 2 kB 7/10/13, 7:24 AM 


> ©) Paul's iPhone 


LJjitmp 68B 7/10/13, 7:25 AM 
“% Y! Search 7/10/13, 11:26 AM 
yelp 9/6/13, 7:00 PM 

YouTube 8/20/13, 9:38 PM 


DE lecmaaelesaulele 


¢ Encrypts data to the device and the user’s passcode 
¢ As strong as the user's passcode 
¢ Protection classes control when data Is available to your app 


ma tan) ©)icerslace)asmce)ar-] 0) Omie-1e= 


[data writeToFile: filePath options: @S6ateWriérnoFljieProtectionComplete 
error: error]: 


Data Protection Classes 


¢ Keychain: 


"kSecAttrAccessiblewWhenUn Locked, 
kKSecAttrAccessibleAfterFirstUn lock, 


¢ NSFileManager and Core Data: 


"NSFileProtectionComplete, NSFileProtectionComp leteUnLlessOpen, 
NSFileProtectionComp LeteUntilFirstUserAuthentication, 


as) DY 1 tsb 


*NSDataWritingFileProtectionComplete, 
NSDataWritingFileProtectionCompleteUnlessOpen, 
NSDataWritingFileProtectionComp LeteUntilFirstUserAuthentication, 


Keychain Access When Device is Locked 


¢ Use kSecAttrAccessibleAfterFirstUnlock for items required while running in the 
oy-le.<o]celelare 


¢ Mitigate risks by making less protected items read-only and delete them after 
Xo) atom Ol a(ele me) malanl= 


¢ Use derived key (e.g. PBKDF#2) instead of user’s password 


File Access When Device is Locked 


¢ Use intermediate protection class for data acquired in background 
= NSFileProtectionCompleteUnlessOpen or 
= NSFileProtectionCompleteUntilFirstUserAuthentication 


¢ Later, when device is unlocked, upgrade the protection class or merge newly 
acquired data into a protected file 


DY lee eaceleseulelamiam Ohm, 


a Cove at- liam) alealcolaly4iale mule miaelere 
¢ State Restoration archive is data protected 
¢ Installed apps are data protected by default 


Data Protection 


Steps: ¥ Ac 


Sy arelalcolalyéiavemc-aear-liamicsaal 


¢-ltems without kSecAttrSynchronizable = kCFBooleanTRUE are not 
synchronized (default) 


¢ Limited to passwords (kSecC LassGenericPassword and 
kSecC LassInternetPassword) 


¢ For shared, synchronized items, use the same kSecAttrAccessGroup name 
¢ Avoid persistent references to synchronizable items 
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Security Checklist 


@) Data Protection 
(_) Secure Transport 
Qsaetieneereliare 


Privacy Checklist 


(_) Identifiers 
() Data Isolation 
( ) Data Collection 


Secure Transport 
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Charles 3.8 - Session 1 * 
w 
Structure 


RC  Mthd Host Path Duration Size Status 
200 GET notify4.dropbox.com:80 /subscribe?host_int=319214814&ns_map=16481928... 32868 ms 570 bytes Complete 


Mi Co... |mservice.bankofamericac..) |__| 50688 ms 46.93 KB Complete | 


200 GET EVSecure-ocsp.verisign.com /MFYWVKADAGEAMEOwSzB)JMAKGBSsOAWIaBQAEFEWn1... 691 ms 2.53 KB Complete 
200 GET EVSecure-ocsp.verisign.com /MFYWVKADAGEAMEOwSzB)JMAKGBSsOAwlaBQAEFLnpso... 694 ms 2.44 KB Complete 
200 GET notify4.dropbox.com:80 /subscribe?host_int=319214814&ns_map=16481928... 44840 ms 570 bytes Complete 


Filter: Settings 


Overview Request eet Summary Chart Notes 


1 QMwq—eC° Faui ~H** f ‘ahe-+°031¢ RA, ,owlp{—=bEoETALc$0’x 'G0de"~ “4 0-e0Ca0Clizt=ZX6; “tlAd{-70 *UHU"OAsS10 UUS 
10U 

2 VeriSign, Inc.10U VeriSign Trust Network1;09U 2Terms of use at https:/ /www.verisign.com/rpa (c)061402U+VeriSign Class 3 Extended Validation SSL 
CAO 1302150000002 140216235959Z0C+10 +C7<US10 +C7<Delawarel10UPrivate Organization10U29274421 0 UUS10 U60603 


10UIllinois LOUChicago10U 135 S La Salle St1$0"U 
3 Bank of America Corporation10U Network Infrastructurel1#0!Umservice.bankofamerica.com0C"0 *UHU~COC 
4 COEHRA>mTLhF  C9GO4€E™ +r, ¢4¢#my@§-syz id J=\Oajl fBOU*AW:¢[! 4©a/Y1{fd 
5 AtVg *:1i§*PiC-U|@eay\ A g€rmE]yOGQM"y3 * Oa-KoEd|A&aw j6fyVé o"@cejOdftyaSe  fAIV=.Y™£aa...5€,a° O7[T'E>2AQ*$ ,c&SiOcaH9g , CU—+> 0 aBZR 
\lz€j*G+¢7l7y 
6 AS™’¥rl#BCE o3A°z\l6 Ask £CIOCEQeUA0\ Ceib-rest.bankofamerica.comC"mservice-darkpod.bankofamerica.comCmservice.bankofamerica.com0 U00 
UouS1af]B1 > 
7 flu,§+6 -@OU~ +0BU;0907+5+3U Lhttp:/ /EVSecure-crl.verisign.com/EVSecure2006.cri0DU =0;09 ~UHU E0*0(+https:/ /www.verisign.com/cps0 
U%0++0U#0A , aP fGm%Z{UOO0iceEXkCO|+p0n0-+O0U!thttp:/ /EVSecure-ocsp.verisign.com0=+0U Lhttp:/ /EVSecure-aia.verisign.com/E 
VSecure2006.cer0 *UHU” Ci rdl<TA6~ p<aD~\a\ 1j)E"%HX&0y 
B F°D«" A'@O2e)EXY: dULEI-iw€]]/&OFi=%ollGr Qe “Vy 
9 /;iyaf=>#A=VJOA'al* 55% ONEC4eU&"A luznlFV7i- #fLev&6>+0-<U,°-MCWEVGeG@e @<<-c” £4,/P 6-6A°MS BtA~h/E @8/f«%>A= >O 
eSpIWSY#7fleOV=3/E:=0kt-d64|R=%%?, = £W(3) rr EOC%OCAT[WYAN-A«'32i)(kO *UHU"0A 10 UUS10U 
10 VeriSign, Inc.10U VeriSign Trust Network1:08U 1(c) 2006 VeriSign, Inc. - For authorized use onlyl1EOQCU<VeriSign Class 3 Public Primary Certification 
Authority - G50 061108000000Z 161107235959Z0As10 UUS10U 
11 VeriSign, Inc.10U VeriSign Trust Network1;09U 2Terms of use at https:/ /www.verisign.com/rpa (c)061402U+VeriSign Class 3 Extended Validation SSL 
CAOC"0 *UHU~COC 
12 Co€tUlG’y,6n+[o#anavdu8;ytz¥c £*aH©AUG0Z6 I™%cirb#6° ZT(O= -So"d» ~ Bay FOTeDOxtS"ITOMALll FIA; AUK FEDS 30 s1GJi$ Lr >avxxdl~7A4104-5-<AS 
VUAt4N7~35/e8?PSi(£uf_6RHCFRAICIO” x, /Aqadlhr%éoz{s...mQ” 6A2AUE~= £Ld—N°&e ~ 6Xx-3alh>+'Eoz,/6i~\"" QEC"OCCEOU , aP f Gm%Z{UOOIceEXkC 
0U~0°0=U 60402U 0*0(+https:/ /www.verisign.com/cps0=U60402+0t.U,http:/ /EVSecure-crl.verisign.com/pca3-g5.cri0U “0 “UHU'B 


Headers Text | Hex Raw 


GET http://notify4.dropbox.com:80/subscribe?host_int=319214814&ns_map=164819281 4282247213393,321951971 38976657635 ,322917187_69042393923,164832846 2585735145038,189782327_ 1208622775327 l&user_id=1014306 
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TLS in a Nutshell 


¢ Client and Server agree on which version of TLS, cipher suite, and compression 
mode to use 


¢ Server provides its TLS certificate and Client must validate it 


¢ Client and Server exchange keys to enable encrypted communication during the 
TLS session 
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+/¢ www.apple.com 


News ¥ Apple v Security * Printing 3D Printing 7 


ee 


Money  Yoga’Y 


Safari is using an encrypted connection to www.apple.com. 


Encryption with a digital certificate keeps information private as it's sent to 
75) or from the https website www.apple.com. 


Baltimore CyberTrust Root 
Cybertrust Public SureServer SV CA 


www.apple.com 


www.apple.com 
Issued by: Cybertrust Public SureServer SV CA 
Expires: Wednesday, March 12, 2014 at 7:05:39 AM Pacific Daylight 
Time 
@ This certificate is val 
Trust 


When using this certificate: Use System Defaults 


no value specified 


no value specified 


US 
CALIFORNIA 
Locality Cupertino 
Organization Apple Inc. 
Common Name www.apple.com 


issuer Name 


pESy-lalem\(olelaaye)e 


¢ When certificate chain validation fails 

- do not bypass failures 

= do not ask the user to decide 

« fix the server 

wee) ahs} (e(<1 mm =1 00] el-1ele lave mesa uiiler-1csmlamy(el0|ar-]e) © 
¢ When you want more 

= take control of server trust evaluation 
¢ Sample code 


a A140 OSSHAL0(=NV.=1 (0) Ol=] fe] ©) ©)(=MGO) A AVAILC) F-1AZALONT A= 100] (16010 (<7 nX@ N/-] 0162101013) me) a) al=veldle) abs 


Secure Transport vs OpenSSL 


¢ Secure Transport 
= FIPS 140-2 certified 
- Hardware accelerated crypto 
= Optimized for iOS devices 
¢ OpenSSL 
am Vie) c-eole( =m re) mele ar.) e)e 
= More work to integrate and test 


¢ Sample code 
= https://developer.apple.com/library/mac/samplecode/CryptoCompatibility 


Security Checklist 


@) Data Protection 
C \ISieUlccmicclarsereyat 
Qsaetieneereliare 


Privacy Checklist 


(_) Identifiers 
() Data Isolation 
( ) Data Collection 


Secure Coding 


Platform Security 


¢ Secure Boot Chain 
a Goto (=ms)(e]ariare 

sy: 1010] ole), 

¢ Entitlements 

¢ ASLR 


¢ iOS Security 
smn alad OM #Al aat-[e[=-] ©) ©) (neo) 0 nVAl ©)ale)al=740l UK |al=ss-740 (016-74 | Os Mmsy-16101 818 /am Olea PA ele) 


Clang Static Analyzer 


=~ 


(Assetx) LocalizedAssetWithName: (NSString *)name 
inBundle: (NSBundle *)bundle { 

NSString xpath; 

NSString xl; 


path = [Asset pathForAssetName: name 
inBundle: bundle]; 
id a = [[Asset alloc] initWithPath:path] ; 


Ll = [self localizedAssetName: name & 1. Value assigned to 'I' 
inBundle: bundle] ; 
if (!1) & 2. Assuming 'I' is nil 
NSLog(@"unable to localize '%@'", name); 


[a setName:name localized: lL]; & 3. Passing nil object reference via 2nd parameter ‘I’ 
return a; ©) 4. Calling 'setName:localized:' 


localized: (NSString x*)1l { 


C" void)setName: (NSString *)name © 5. Entered call from ‘localizedAssetWithName:inBundle:' 


} 


sL@" LocalizedName"] = lL: €) 6. Value stored into 'NSMutableDictionary' cannot be nil 
es{@"name"] = = name; 


Secure Text Entry 


¢ Marking text as secure 


textField.securefextEntry = YES; 


Text View 


Text 


Color 

Font 
Alignment 
Behavior 


Detection 


Capitalization 
Correction 
Keyboard 
Appearance 


Return Key 


Plain 
Secret message 


Mmm Default 


Helvetica Neue Light 18.0 


WV Selectable 


Vv Editable 


Links Addresses 
Phone Numbers 
Events 

Sentences 

Default 

Default 

Default 


Done 


Auto-enable Return Key 
JV Secure 


Secure Text Entry 


¢ Asking for a user name and password 


Bame Seo 
ale rt . ale rtViewSty le = Logging in first time. 
UIAlertViewSty LeLoginAndPas 


Swordinput; 


¢ Asking for a password 


Enter Password 


What is Paul's password? 


alert.alertViewStyle = 
UIAlertViewSty leSecureTextl 
alelenar 


Purge Sensitive Data 


- Zeroing memory 


bzero(&sensitiveData, sizeof(sensitiveData) ): 


Hide Sensitive Data from App Snapshots 


¢ Before snapshot is taken 
— (void) applicationWillResignActive: (UIApplication x*)application {t 
[ UIApplication sharedApplication ].keyWindow.hidden = YES; 


¢ Before app is switched to background 
— (void) applicationDidEnterBackground: (UIApplication *)application { 
[ UIApplication sharedApplication ].keyWindow.hidden = YES; 
} 


Version Checking 


if (floor(NSFoundationVersionNumber) <= NSFoundationVersionNumber i0S 6 Q) 


e // tell user to upgrade? 
} else { 
° // run! 


Tamper Detection 


The Fragility of Jailbreak Detection 


op 8 oe eo) 01-1 0 a Ot cd) 9 ee 
if (f '= NULL) ¢{ 

// pirated! now what do we do? 
} 

fclose(f) 


Security Checklist 


@) Data Protection 
C \ISieUlccmicclarsereyat 
C esicrallcen@erellare 


Privacy Checklist 


(_) Identifiers 
() Data Isolation 
( ) Data Collection 


Platform Privacy 


Privacy 


_ Calendars 
Reminders 
= Photos 
p Bluetooth Sharing 


6 Microphone 


(©) twitter 
Ej Facebook 


Advertising 


Restrictions 


PRIVACY: 


Location Services 
Contacts 
Calendars 
Reminders 
Photos 

Bluetooth Sharing 
Microphone 
Twitter 

Facebook 


Advertising 


“Camera” Would Like to Use 
Your Current Location 


Photos and videos will be tagged with 
the location where they were taken. 


Don't Allow 


Identifiers 


UDID Replacement APIs 


elo) of Bic: 
Application ID fale) @ Oletiasirlliecleye 
\V/=} ale (olan Dy Developer Uninstall 


developer's apps 


Erase all Content 


Advertising ID BYavile: and Settings 


Backed Up 


Yes 


Yes 


Yes 


Restores 
Across Devices 


Yes 


No 


Xe 


Other Restrictions 


¢ MAC Address 


RYAS1on 0 \\| oll OO od lO DO | (0 Woon al WMO LOCH NGO) \ ummm olo)damc-idel gam ma@elalir-lale 
value @2:00:00:20:00:20 on iOS 7 


Ua ke) <-lals 
application: didRegisterForRemoteNotificationswithDeviceToken: 
¢ Named Pasteboards 
smsX@0) 0] =10 MN KOMY(010] au =r- lan |B, 


D]felitclmmiatet-laelalaidiace 


¢ Device recognition based on collection of static metrics 
¢ Lacks transparency and potentially violates privacy 


Security Checklist 


@) Data Protection 
C \ISieUlccmicclarsereyat 
C esicrallcen@erellare 


Privacy Checklist 


Cymelniditas 
() Data Isolation 
() Data Collection 


Consent and Transparency 


Consent and Transparency 


< General _ Restrictions € Restrictions Microphone 


PRIVACY: 


Location Services Allow Changes 


“Camera” Would Like to Use 
Your Current Location 


Contacts Don’t Allow Changes 
Calendars 


—— Photos and videos will be tagged with 
the location where they were taken. 


SS 


Photos 


Bluetooth Sharing 
Microphone 
Twitter 


Facebook 


Advertising 


@omaeeaac 


location olate)nes: eo) al telat: Koaaliavelsec calendar 
bluetooth camera aalcel ce) e)avelal= motion 


Restrictions 


9:41 AM 100% = 


Restrictions 


PRIVACY: 


Location Services 


Contacts 


Calendars 


Reminders 


Photos 


Bluetooth Sharing 


Microphone 
Twitter 
Facebook 


Advertising 


9:41 AM 


Microphone 


Allow Changes 


Don’t Allow Changes 


100% = 


Purpose Strings 


Data Class 
Location 
mateliess 
@-(claterelas 
Contacts 
Reminders 
Bluetooth 
Wilrelce)e)ate)at= 


Motion 


Talvon elim Cy 

Nhs} eoYer-) de) a] Ukct-le [<1 DXoxxel a] oh a(e)a’ 
NSPhotoLibraryUsageDescription 

NbS\@-] (Jato f-] a1 kyle [=] Di =nxel a] elito)a 
NSContactsUsageDescription 
NSRemindersUsageDescription 
NSBluetoothPeripheralUsageDescription 
NISYIV/IKelxe) ©) ate) arelussy-le [=] Di=nxelglelitela 


NSMotionUsageDescription 


Testing 


moidanlssvle)amolsiiaremxelule|piar-lalemelr-laiccre 
mo)aanlssvle)amel=1/alemyelele|alar-laremelstaliare 
Permission previously denied 


Permission restricted 


¢ Sample code 


= https://developer.apple.com/library/ios/samplecode/PrivacyPrompts 


Security Checklist 


@) Data Protection 
C \ISieUlccmicclarsereyat 
C esicrallcen@erellare 


Privacy Checklist 


Cymelniditas 
@) Data Isolation 
Qe Prin eo)l(=arre 


Dele m@e)l (adele 


Privacy Policy 


Edit English 


App Name_ ITunes Connect Mobile 


Description The iTunes Connect Mobile app allows developers and 
iBookstore providers to access their catalog and sales data 
anywhere on their iPhone, iPad, or iPod touch. iTunes 
Connect users can also view the metadata for all of their 
titles and set specific titles as Favorites for easier tracking. 


What's New in this Version | Minor bug fix for push notifications. 
Adds support for iPhone 5. 


Keywords iTunes,Connect,Sales,Trends,Apps,Updates,Revenue,Developer, Tools 
Support URL http://itunesconnect.apple.com 


Marketing URL (Optional)  http:// itunesconnect.apple.com 


acy Paley URL(Optora) eee are 
recommended for all apps collecting 
user or device related data, and 
required for apps that offer auto- 
renewable or free subscriptions, or as 
otherwise required by law. 


App Review and Privacy 


17 Privacy 

17] rae) oMers al alelMeeelariaalimersltcMo]elelelm-MUnY-laanviaacelelmeleleclialiale maal-menyt— acm ela (e] my el—laanlis Jie) ale] arom e)cenleliare 
1d aL=MO k=) mA Ga rs(e@ tS KOM [aie)aaat-lale)am-]ecelurm ale)uvar-lalemualslccmualemer-lt-M Vl melomeniale 

179 PN 0) Oka UaY-) ml C=10 [0/1 Com UL Y=) 6M KOM) aT-] Com Ola] aXe) AT-M (alco) daar ide) apecielelam-kom=) aal-lim-lelelasciw-lale mer-ltome)mollauanmla 


ol co (=) mi Komiurateldle) ami melomcsy(sre care 


rN o) om ant \Var-)-),@1(0) mero] «= Mo)mm ol] naam (0) MU lYoMo)u als mr-le[cmeer-1e) ale manlsveat-laliank) me) alhVmroland arom Ol0]/seles\ome) i 
173 complying with applicable children's privacy statutes, but must include some useful functionality or 
entertainment value regardless of the user's age 


Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, 


email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal 
ofl) i ce)aam-manliave) mm aaleriaxeo)anle)\YmViUlaam-] e)e)i(er-]e)(-meall(e/c-1aWcom 0) ahVc-(@Vmcie-]de huss 


Security Checklist 


@) Data Protection 
C \ISieUlccmicclarsereyat 
C esicrallcen@erellare 


Privacy Checklist 


Cymelniditas 
@) Data Isolation 
@) Data Collection 
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